Windows To Go
A deployment guide
for education
January 2014
Table of
contents
1 Understanding Windows To Go
1 Windows To Go for IT
2 Windows To Go for faculty
2 Windows To Go for students
4 Preparing to use Windows To Go
4 Windows To Go limitations
5 Roaming with Windows To Go
5 Determine user setting storage
6 Determine remote access requirements
6 Determine host computer requirements
7 Select the USB drive for Windows To Go
7 Understand Windows To Go image creation
9 Creating a Windows To Go drive
9 Using the Windows To Go Creator Wizard
10 Using Windows PowerShell cmdlets
12 Starting a Windows To Go drive
13 Enabling the Windows Store
14 Activating Windows To Go workspaces
15 Managing Windows To Go
15 Group Policy settings related to the
Windows To Go workspace
17 Group Policy settings related to the host computer
18 Storing user data and settings
19 UE-V with Folder Redirection
19 Cloud storage
21 Configuring Windows To Go for remote access
22 Securing Windows To Go drives
23 Configuring BitLocker before distribution
23 Configuring BitLocker after distribution
25 Building multiple Windows To Go drives
26 Talking about Windows To Go
27 Conclusion
Windows To Go
A deployment guide for education
Windows To Go is a feature of the Windows 8.1 Enterprise operating system that
enables the operating system to run from a USB drive. Using Windows To Go in an
education environment provides numerous benefits to faculty and students alike. It
enables faculty and students to use a personalized copy of Windows 8.1 on virtually
any PC, at almost any location. This guide provides an overview of Windows To Go
deployment for schools. It is for IT pros and discusses the benefits, limitations, and
processes involved in deploying Windows To Go.
Understanding Windows To Go
Windows To Go creates a bootable Windows 8.1 image on a USB drive. This means that the
standardized Windows image already used on institution-owned devices now becomes available
with greatly increased portability and convenience. Users do not need to lug around a laptop
or other device to have their Windows desktop available: That desktop is now available on a
USB drive, and they can run it on any PC that is compatible with Windows 7, Windows 8, or
Windows 8.1.
Windows To Go for IT
Windows To Go helps IT in several ways:
" Portability Windows To Go enables IT to offer the flexibility of free seating. Faculty and
students can use their own Windows desktop from almost any PC in the school.
" Cost savings IT does not need to deploy individual computers but rather can deploy the
Windows To Go workspace on USB drives to provide a consistent, personalized Windows 8.1
experience. It is easy to setup and configure, and distribution is simple.
" Management Today s IT infrastructure uses Group Policy and technologies like BitLocker
Drive Encryption, Microsoft BranchCache, Application Virtualization, DirectAccess, and other
WINDOWS TO GO 1
advanced technologies to ensure highly reliable and secure services to users. Windows To Go
supports all of those technologies and more. You do not need to change your IT processes
and management tools to add Windows To Go to your IT infrastructure.
Windows To Go for faculty
Windows To Go gives faculty a consistent Windows 8.1 experience from almost anywhere. Is
seating available in a computer lab? Need to move to another classroom? The educator s personal
Windows 8.1 desktop is available at all of these locations by booting into the Windows To Go
workspace.
Faculty members use numerous tools to provide the best learning experience for the classroom,
such as Microsoft Office and the specialized Learning Management System (LMS). At the same
time, computers with that specialized software are typically shared among two or more educators,
making it difficult to find a time to get classroom-related administrative work done.
With a Windows To Go workspace, sharing a computer becomes a thing of the past. With Windows
To Go, any compatible computer, regardless of the operating system installed on it, can be used.
This means that faculty members can use a Windows To Go workspace at work, from home, or
from an off-campus location, providing the same experience regardless of location. Faculty are no
longer tethered to a specific computer, room, or building.
Windows To Go for students
Like faculty, students can benefit from the Windows To Go experience. Students can use a
Windows To Go workspace to boot into their own Windows workspace from home or from a free
seat in school. They can have the same personal Windows 8.1 experience in each classroom.
Students can also use Windows To Go workspaces to get their homework done and perform
research-related tasks by using specialized software without needing to install that software on
their own device. All they need is a compatible computer and USB drive, and the workspace is up
and running.
You can customize Windows To Go workspaces for particular curriculums, grade levels, and so
on, then distribute them to students. Doing so helps to facilitate the learning experience while
minimizing the time invested in configuring the technology.
Windows To Go workspaces have low replacement cost. If a student loses the USB drive with the
workspace on it or if the drive becomes damaged, it can be replaced at a much lower cost than a
PC.
WINDOWS TO GO 2
Additional resources:
"  Windows 8 Enterprise in Your Pocket at http://www.microsoft.com/en-us/windows/
enterprise/products-and-technologies/devices/windowstogo.aspx
"  Windows To Go: Frequently Asked Questions at http://technet.microsoft.com/en-us/library/
jj592680.aspx
WINDOWS TO GO 3
Preparing to use Windows To Go
This section describes the infrastructure-related items that you must consider for a Windows
To Go deployment and also provides considerations for that preparation. In addition to the
considerations that the following sections describe, see Windows 8.1 deployment planning: A guide
for education at http://www.microsoft.com/download/details.aspx?id=39682 for considerations
affecting any Windows 8.1 deployment in an educational institution.
Windows To Go limitations
Although Windows To Go is similar to a typical Windows 8.1 Enterprise installation on a PC, some
differences exist:
" No access to internal disks By default, the host computer s disks are not accessible by
a Windows To Go installation, and a USB drive with a Windows To Go workspace is not
accessible by the Windows operating system installed on the computer. You can eliminate
both of these limitations by using Group Policy. However, these restrictions are in place to
protect the security and privacy of the Windows To Go workspace, and to help prevent end-
user confusion.
" Recovery options are limited The Windows Recovery Environment (Windows RE) is not
available in Windows To Go, nor are refresh and reset options. You should re-provision the
Windows To Go workspace onto the USB drive in the event a Windows To Go workspace
becomes unrecoverable. Because recovery options are limited, Microsoft does not
recommend storing user data on the Windows To Go USB drive. Instead, use a network- or
cloud-based solution like Folder Redirection or SkyDrive.
" Trusted Platform Module (TPM) is not used The TPM is tied to a specific physical
computer. Therefore, because Windows To Go workspaces move among computers, the TPM
is not used in a Windows To Go workspace. In its place, a password is required for BitLocker
on a Windows To Go workspace.
" Windows Store is disabled (Windows 8 only) In Windows 8, the Windows Store is disabled
by default, because apps are tied to the computer itself. You can use Group Policy to enable
the Windows Store. In Windows 8.1, this limitation is gone, and the Windows Store is enabled
by default. Regardless of the Windows Store status, you can still sideload apps for which
you have installation files. For more information about sideloading Windows Store apps,
see Windows Store apps: A deployment guide for education at http://www.microsoft.com/
download/details.aspx?id=39685.
WINDOWS TO GO 4
" Hibernate is disabled Hibernation expects to find the same hardware when the operating
system resumes. Because Windows To Go workspaces will likely roam among computers,
hibernation is disabled. Like the Windows Store, you can re-enable hibernate, but only
enable hibernation if you are certain that the device will only be used on the same physical
computer.
Roaming with Windows To Go
During the boot process, Windows To Go examines the host computer s hardware and installs
the necessary device drivers. This process generally works well, especially if people will be
using Windows To Go on host computers with similar hardware configurations. However, if the
workspace will be used on different hardware with different device configurations, then you might
need to inject additional drivers into the image. Testing the image on the hardware is a key step to
ensure compatibility for the devices to be used with Windows To Go.
Some applications can bind to specific hardware. For example, an application might tie its licensing
or activation to the computer s hardware. If the Windows To Go workspace will be used on
multiple host computers with different hardware configurations, the applications might not roam.
Ensure that each application you are installing in a Windows To Go workspace supports roaming
or provide for an alternate method of using those applications, such as Windows Server 2012 R2
RemoteApp.
Students and faculty are not usually aware of which type of firmware their computers have, and
so they will likely boot their workspaces on different types. They can boot Windows To Go on
computers with different types of firmware. Computers certified for Windows 8.1 have Unified
Extensible Firmware Interface (UEFI), while Windows 7 computers use the legacy BIOS firmware.
Rather than creating separate workspaces for different firmware types, Windows To Go can boot
on either firmware type.
Determine user setting storage
Users need access to their data and settings within the Windows To Go workspace in addition
to their usual device. Determine how best to provide this access, whether through a user state
virtualization (USV) technology or through other means. Options include local storage, Microsoft
User Experience Virtualization (UE-V) with Folder Redirection and Offline Files, SkyDrive, Microsoft
Office 365, and other cloud-based storage solutions. Windows 8.1 also enables logon with a
Microsoft account, which includes the option of roaming for many user settings. This aspect of
Windows To Go is discussed in the section  Storing user data and settings on page 18 in this
guide.
WINDOWS TO GO 5
Determine remote access requirements
If Windows To Go workspaces will be used from off-campus locations,
then you might provide a method for remote access. You can do so
by using DirectAccess or by using an existing virtual private network
(VPN) solution. More detail on remote access is given in  Configuring
Windows To Go for remote access on page 21.
Determine host computer requirements
Windows To Go supports many different types of hardware. This
NOTE
support enables users to run Windows To Go workspaces on
hardware certified for Windows 8.1, Windows 8, and Windows 7 alike.
Windows To Go
Note the following host computer requirements: workspaces are not
supported on Windows RT
or Apple platforms.
" Booting The computer must be capable of booting from a USB
drive, and the drive must be directly connected; USB hubs are
not supported.
" Firmware The computer can use UEFI or BIOS.
" Graphics The computer should have Microsoft DirectX 9 with
Windows Display Driver Model 1.2 or later driver.
" Processor The computer should have a 1 GHz or faster
processor, and the architecture can be 32 or 64 bit, as discussed
later in this guide.
" RAM The computer should have at least 2 GB of physical
memory.
" USB port The computer should have at least one USB 2.0 or
3.0 port.
When considering the processor architecture, the firmware is
an important consideration. Table 1 on page 7 describes the
processor architecture considerations for Windows To Go.
WINDOWS TO GO 6
TABLE 1 Processor
HOST FIRMWARE HOST PROCESSOR WINDOWS TO GO
Architecture and
ARCHITECTURE ARCHITECTURE
Windows To Go
BIOS 32-bit 32-bit only
BIOS 64-bit 32-bit and 64-bit
UEFI 32-bit 32-bit only
UEFI 64-bit 64-bit only
Select the USB drive for Windows To Go
The USB drive used for Windows To Go must be Windows To Go
certified. Windows To Go certified drives are optimized for the rate of
I/O operations necessary for Windows. They are capable of booting
on hardware certified for Windows 7, Windows 8, and Windows 8.1.
The drives have manufacturer warranties and are meant to be used
to support a typical Windows workload. Several hardware vendors
offer these drives in a variety of sizes. See  Windows To Go Overview
at http://technet.microsoft.com/en-us/library/hh831833.aspx#wtg_
hardware for a list of currently supported drives.
NOTE A Windows To Go image running Windows 8.1 can
boot from a drive that contains a built-in smart card. These
composite drives combine a mass storage drive and smart card
in one device. Windows 8.1 can enumerate the smart card when
booting from the Windows To Go drive or by connecting the NOTE
device to another host machine. For more information, see
You can also use Microsoft
 What s New in Smart Cards at http://technet.microsoft.com/
System Center 2012 R2
library/hh849637.aspx.
Configuration Manager
to distribute workspaces.
See the Microsoft TechNet
article  How to Provision
Windows To Go in
Understand Windows To Go image creation
Configuration Manager
at http://technet.
Ease of deployment is a key feature of Windows To Go. A Windows 8.1
microsoft.com/en-us/
release to manufacturing (RTM) image is all that is needed to begin
library/jj651035.aspx for
the Windows To Go image-creation process. Alternately, you can fully
more information.
WINDOWS TO GO 7
customize the image to include applications and other settings specific to the deployment. Users
with local administrator privileges and a Windows 8.1 Enterprise image (an unlikely scenario in an
education setting) can also create their own Windows To Go workspace. Therefore, school IT pros
will be the likely sole creators of Windows To Go workspaces.
If you do not customize the image, then you will need to provide for the resulting Windows To Go
workspace to be joined to the domain and for applications to be installed in the workspace. You
can use Group Policy to manage the workspace, and you may want to customize certain settings
for your environment. See the section  Managing Windows To Go on page 15 or the section
 Image deployment and drive provisioning considerations in the TechNet article  Deployment
Considerations for Windows To Go at http://technet.microsoft.com/en-us/library/jj592685.
aspx#wtg_imagedep for more information on these Group Policy settings and Windows To Go
deployment.
You can create a Windows To Go workspace by using the Windows To Go Creator Wizard or
Windows PowerShell cmdlets. After you have provisioned the workspace onto a USB drive,
you can duplicate the workspace onto other USB drives (assuming that the workspace has not
yet been started for the first time). See the TechNet article  Windows Deployment Options at
http://technet.microsoft.com/en-us/library/hh825230.aspx for more information on Windows
Deployment Options and the topic  Windows PowerShell equivalent commands in  Deploy
Windows To Go in Your Organization at http://technet.microsoft.com/en-us/library/jj721578.
aspx#BKMK_manualwtgimage for more information on manual Windows To Go image creation.
Additional resources:
"  Deployment Consideration for Windows To Go at http://technet.microsoft.com/en-us/
library/jj592685.aspx
"  Windows To Go: Feature Overview at http://technet.microsoft.com/library/hh831833.aspx
"  Tips for configuring your BIOS settings to work with Windows To Go at http://social.technet.
microsoft.com/wiki/contents/articles/12911.tips-for-configuring-your-bios-settings-to-work-
with-windows-to-go.aspx
WINDOWS TO GO 8
Creating a Windows To Go drive
You can use either of two primary methods to create a Windows To
Go drive:
" The Windows To Go Creator Wizard
" Windows PowerShell cmdlets
The method you use depends largely on the goals of the deployment
and the skills available for the deployment. Regardless of which
method you employ, the result is a USB drive with a Windows To Go
workspace on it.
Table 2 provides considerations to help you decide which method of
Windows To Go workspace creation is right for you.
TABLE 2 Choosing a
WINDOWS TO GO WINDOWS POWERSHELL
Windows To Go Creation
CREATOR WIZARD
Strategy
Number of " Few " Many workspaces with
workspaces needed potentially unique
configurations for each
" USB duplicator
Customizations " None " Custom provisioning
needed (e.g., offline domain join,
partitioning, BitLocker)
" Customized
required
image
Skills " IT generalist " IT pro with Windows
PowerShell experience
Using the Windows To Go Creator Wizard
The Windows To Go Creator Wizard is a simple way to create a
Windows To Go workspace quickly. The wizard creates a fully
functional workspace with just a few mouse clicks. Using the Windows
To Go Creator Wizard involves selecting the USB drive along with the
Windows image to be used for the deployment. To use the wizard,
you must have:
WINDOWS TO GO 9
" A Windows To Go certified USB drive connected to the
computer prior to starting the wizard
" A Windows 8.1 Enterprise image, either the RTM image or a
customized image that has been generalized with the Microsoft
System Preparation Tool (Sysprep)
" Local administrator privileges
You can enable BitLocker during the Windows To Go Creator
Wizard. If you will be using a drive duplicator to make copies of the
workspace, however, do not enable BitLocker from the wizard but
rather after deployment. See the topic  Enable BitLocker protection
for your Windows To Go drive in the TechNet article  Deploy
Windows To Go in Your Organization at http://technet.microsoft.
com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for more
information on enabling BitLocker.
The overall process for workspace creation involves the following
tasks:
1. Select the USB drive on which to create the Windows To Go
workspace.
NOTE
2. Select the Windows image to use as an installation source for the
workspace.
Always safely eject the
USB drive when the
3. Optionally, enable BitLocker on the workspace immediately.
provisioning process is
complete. Removing
The process of workspace creation takes 20 to 30 minutes, and the the drive in an unsafe
manner can result in an
result is that you have a Windows To Go workspace on the USB drive.
unbootable Windows To
From that point, you can either boot the workspace or duplicate it to
Go workspace.
other USB drives.
Using Windows PowerShell cmdlets
Use Windows PowerShell cmdlets to create Windows To Go
workspaces when you need additional flexibility. Windows PowerShell
enables you to create a custom, scripted solution for large-scale
Windows To Go workspace creation.
WINDOWS TO GO 10
The tools used to create a Windows To Go workspace are essentially the same tools you use to
manually provision and deploy Windows images. They include:
" Disk partitioning cmdlets such as Clear-Disk, Initialize-Disk, New-Partition, Format-
Volume, and so on
" Deployment Image Servicing and Management (DISM)
" Bcdboot
You use these tools to perform the same steps manually that the Windows To Go Creator Wizard
performs. The process includes the following tasks:
1. Partition the USB drive, including FAT32- and NTFS file system formatted partitions.
2. Use DISM to apply the Windows image.
3. Use Bcdboot to enable the system to start on UEFI and BIOS systems.
4. Use DISM to apply a storage area network policy to prevent the internal disks from being
used.
5. Create an answer file to disable Windows RE.
Like the Windows To Go Creator Wizard, the result when using Windows PowerShell is that
you have a Windows To Go workspace on the USB drive. See  Deploy Windows To Go in Your
Organization at http://technet.microsoft.com/en-us/library/jj721578.aspx#BKMK_4wtgdeploy for
more information about scripting Windows To Go provisioning by using Windows PowerShell.
Additional resources:
"  Deploy Windows To Go In Your Organization at http://technet.microsoft.com/en-us/library/
jj721578.aspx
"  Getting Started with Windows PowerShell at http://technet.microsoft.com/en-us/library/
hh857337.aspx
" Windows PowerShell User s Guide at http://technet.microsoft.com/en-us/library/cc196356.
aspx
WINDOWS TO GO 11
Starting a Windows To Go drive
Users of Windows To Go need to configure the host computer to
NOTE
boot from USB. For devices running an earlier version of the Windows
operating system, the USB boot option can be enabled in the device s
Additional considerations
firmware, such as the BIOS. For computers running Windows 8 or exist when using a
computer running
Windows 8.1, the Windows To Go workspace can also be configured
Windows 7 as a host
to start using Windows To Go Startup Options. On the Start screen,
computer. See  Tips for
press the Windows logo key + W, and then search for Windows To
configuring your BIOS
Go startup options to configure the computer to boot from a USB
settings to work with
drive. Changing this setting requires administrator privileges. You can
Windows To Go at http://
also set the option to boot from a USB drive by using Group Policy for
social.technet.microsoft.
com/wiki/contents/
Windows 8 and Windows 8.1.
articles/12911.tips-for-
configuring-your-bios-
Regardless of whether you are using a Windows 7 host computer or
settings-to-work-with-
a Windows 8.1 host computer, use caution when enabling boot from
windows-to-go.aspx for
USB devices. Doing so may open an attack vector if the computer is
more information.
booted from a USB drive containing malware.
When preparing a computer to boot into a Windows To Go
workspace, make sure the computer is not currently in a sleep
state. The USB drive with the Windows To Go workspace should be
connected directly to a USB port on the computer, not through a USB
hub.
Additional resources:
"  Deployment Considerations for Windows To Go at http://
technet.microsoft.com/en-us/library/jj592685.aspx
WINDOWS TO GO 12
Enabling the Windows Store
The Windows Store is enabled by default on Windows To Go drives running Windows 8.1. Users can
start the drive on any number of host computers, access the Windows Store, and run their apps.
In Windows 8, the Windows Store is disabled in a Windows To Go workspace by default, because
apps purchased through the Windows Store are tied to the device s hardware and can be installed
on as many as five devices. This means that the app will not run if the Windows To Go workspace is
booted from more than five different devices.
You can enable the Windows Store by using the Allow Store to install apps on Windows To Go
workspaces Group Policy setting found at \Computer Configuration\Administrative Templates\
Windows Components\Store. Use this policy setting when the workspace will be booted from the
same or a limited number of computers.
If the Windows Store will remain disabled, Microsoft recommends that you remove the default
Windows Store related apps, such as Sports or News, from the Windows To Go workspace image.
These apps are updated through the Windows Store and therefore cannot be updated with the
Windows Store disabled. Educational apps that you sideload are unaffected by this policy and can
still be loaded, run, and managed through normal app management processes.
Additional resources:
" Windows Store apps: A deployment guide for education at http://www.microsoft.com/
download/details.aspx?id=39685
"  Management of Windows To Go using Group Policy at http://technet.microsoft.com/en-us/
library/c598d28c-5829-42ce-8d43-a7a5a4382537#BKMK_wtggp
"  How to Add and Remove Apps at http://technet.microsoft.com/en-us/library/hh852635.
aspx
"  Managing Client Access to the Windows Store at http://technet.microsoft.com/en-us/
library/hh832040.aspx
"  Prepare Your Organization for Windows To Go at http://technet.microsoft.com/en-us/
library/0fd52a81-c871-4567-aaaf-bd29c2ee65d4
WINDOWS TO GO 13
Activating Windows To Go workspaces
Windows To Go can use Active Directory-Based Activation (ADBA) and Key Management Service
(KMS) activation, similar to a typical installation of Windows 8.1. However, Windows To Go cannot
use Multiple Activation Key (MAK) activation, as MAK activation binds to the host computer s
hardware. Windows To Go uses a standard Windows license and counts as an installation for
applicable licensing agreements.
The Windows To Go workspace needs to renew its activation every 180 days. It does this whenever
the workspace is booted within the school s network or when using a remote connection like
DirectAccess or a VPN. If workspaces are not used within the 180-day period, you will need to
reactivate them by connecting them to the network containing the ADBA or KMS services.
Applications to be used within the workspace might also need to be activated. Office 2013 uses the
same activation methods as Windows To Go, but software from other vendors, such as LMSs and
other educational applications, might have different licensing. Verify the Windows To Go usage
scenario with the appropriate vendors to ensure licensing compliance.
Additional resources:
"  Plan for Volume Activation at http://technet.microsoft.com/library/jj134042.aspx
"  Understanding KMS at http://technet.microsoft.com/en-us/library/ff793434.aspx
"  Active Directory-Based Activation Overview at http://technet.microsoft.com/en-us/library/
hh852637.aspx
"  Volume activation of Office 2013 at http://technet.microsoft.com/en-US/library/ee705504.
aspx
WINDOWS TO GO 14
Managing Windows To Go
You can use the same Windows management tools with which you are already familiar to manage
Windows To Go drives. You do not need to learn any new tools to manage Windows To Go within
your institution. For example, you can manage Windows To Go workspaces by using:
" Group Policy See  Group Policy at http://technet.microsoft.com/windowsserver/bb310732.
aspx for more information.
" Windows Intune See  Windows Intune at http://technet.microsoft.com/windows/intune.
aspx for more information.
" System Center 2012 Configuration Manager See  System Center Configuration Manager
at http://technet.microsoft.com/systemcenter/bb507744.aspx for more information.
You can also use Group Policy to manage Windows To Go, and Microsoft recommends that you
create a separate organizational unit (OU) for the Windows To Go workspaces and one for host
computers. You can use the OU for Windows To Go workspace to:
" Change settings for the Windows Store
" Change standby sleep states
" Change hibernate settings
You can use the OU for host computers to provide granular control over the Windows To Go
Startup Options so that only certain computers will be configured to boot from the USB drive.
Group Policy settings related to the Windows To Go workspace
The settings in the following list are particular to Windows To Go workspaces:
" Allow hibernate (S4) when started from a Windows To Go workspace This policy setting
specifies whether the PC can use the hibernation sleep state (S4) when started from a
Windows To Go workspace. By default, hibernation is disabled when using Windows To Go
workspaces, so enabling this setting explicitly turns the ability back on. When a computer
enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is
important that the hardware attached to the system as well as the disk itself are unchanged.
This is inherently incompatible with roaming between PC hosts. Hibernation should only be
used when the Windows To Go workspace is not being used to roam between host PCs.
WINDOWS TO GO 15
" Disallow standby sleep states (S1 S3) when starting from
NOTE
a Windows To Go workspace This policy setting specifies
whether the PC can use standby sleep states (S1 S3) when
For the host PC to resume
started from a Windows To Go workspace. The sleep state also correctly when hibernation
is enabled, the Windows
presents a unique challenge to Windows To Go users. When
To Go workspace must
a computer goes to sleep, it appears as if it were shut down.
continue to use the same
It would be easy for a user to think that a Windows To Go
USB port.
workspace in sleep mode were actually shut down, and the
user could remove the Windows To Go drive and take it home.
Removing the drive in this scenario is equivalent to an unclean
shutdown, which may result in the loss of unsaved user data or
the corruption of the drive.
Moreover, if the user now boots the drive on another PC and
brings it back to the first PC, which still happens to be in the
sleep state, it will lead to an arbitrary crash, and eventually
corruption of the drive results in the workspace being unusable.
If you enable this policy setting, the Windows To Go workspace
cannot use the standby states to cause the PC to enter sleep
mode. If you disable or do not configure this policy setting, the
Windows To Go workspace can place the PC in sleep mode.
" Allow Store to install apps on Windows To Go
workspaces This policy setting allows or denies access
to the Store application from a Windows To Go workspace
running Windows 8. (This policy does not apply to devices
running Windows 8.1.) If you enable this setting, access to
the Store application is allowed from the Windows To Go
workspace. Enable this policy setting only when the Windows
To Go workspace will be used with a single PC. When roaming
Windows To Go devices to multiple PCs, installing applications
from the Windows Store is not a supported scenario. However,
sideloaded Windows Store apps can run in Windows To Go
workspaces even when roamed among multiple PCs. If you
disable or do not configure this policy setting, access to the
Windows Store application is denied on the Windows To Go
workspace.
WINDOWS TO GO 16
Group Policy settings related to the host computer
The Windows To Go Default Startup Options policy setting
controls whether the host computer boots to Windows To Go if a
USB device containing a Windows To Go workspace is connected and
controls whether users can make changes using the Windows To
Go Startup Options settings dialog box. If you enable this policy
setting, booting to Windows To Go when a USB device is connected
will be enabled, and users will not be able to make changes using the
NOTE
Windows To Go Startup Options settings dialog box. If you disable
this policy setting, booting to Windows To Go when a USB device is
Enabling this policy
connected will not be enabled unless a user configures the option
setting causes PCs running
manually in the firmware. If you do not configure this policy setting, Windows 8.1 to attempt to
boot from any USB device
users who are members of the local Administrators group can enable
that is inserted into the PC
or disable booting from USB by using the Windows To Go Startup
before it is started.
Options settings dialog box.
Additional resources:
"  Prepare Your Organization for Windows To Go at http://
technet.microsoft.com/en-us/library/jj592678.aspx
"  Deployment Considerations for Windows To Go at http://
technet.microsoft.com/en-us/library/jj592685.aspx
WINDOWS TO GO 17
Storing user data and settings
In a typical Windows installation, user data and settings are stored on the computer s internal disk.
However, with Windows To Go, access to the internal disk is disabled. Data and settings are instead
stored within the workspace itself on the USB drive. Microsoft does not recommend this scenario.
The USB drive with the Windows To Go workspace contains no recovery options; therefore, if the
drive is lost or damaged, the user will lose their data and settings. With this in mind, users need a
method to access their data and settings from multiple locations when using the Windows To Go
workspace.
Multiple options are available for access to data and settings from within a Windows To Go
workspace. For example, UE-V with Folder Redirection and Offline Files is an excellent way to
separate data and settings from the workspace and enable them to roam. These technologies
require little infrastructure and are very easy to configure.
If the infrastructure or expertise is not available for these technologies, SkyDrive is also an option.
SkyDrive can be used to synchronize both data and some Windows 8.1 settings (e.g., Internet
Explorer Favorites, desktop wallpaper, and so on) when logging on to the Windows To Go
workspace with a Microsoft account.
Table 3 describes the options for data and setting storage.
TABLE 3 Options for Data and Setting Storage in Windows To Go
LOCAL STORAGE IN THE UE-V WITH FOLDER SKYDRIVE
WINDOWS TO GO REDIRECTION
WORKSPACE
Requires minimal
Requires agent
configuration; must
Requires no additional installation in the
Configuration log on with a Microsoft
configuration workspace and Group
account for settings to
Policy infrastructure
be synchronized
IT expertise None IT pro End user
Uses backup methods Cloud-based service
Backup None already in place in the that is backed up in the
infrastructure datacenter
Yes, as long as a
Data and settings
None Yes Microsoft account is
roaming
used
Bandwidth used None Intranet Internet
WINDOWS TO GO 18
UE-V with Folder Redirection
UE-V with Folder Redirection provides access to data and settings for a consistent desktop
experience no matter where the user logs on. It is the recommended method for providing access
to data and settings with Windows To Go, because it provides the best combination of flexibility
and manageability for most infrastructures.
UE-V with Folder Redirection consists of several components that combine to provide a seamless
virtualized experience:
" UE-V UE-V synchronizes users settings with a simple network file share. Changes made to
Windows and application settings will be synchronized with the file share and available when
users log onto their Windows To Go workspace or any domain-joined PC.
" Folder Redirection Folder Redirection stores user data and application-related data on a
file share so that user can access the data regardless of logon location.
" Offline Files Offline Files ensure that files and folders are accessible even if the device is
currently disconnected from the network. This includes the UE-V settings store and any
redirected folders. Configuring Offline Files is essential if students are allowed to take their
Windows To Go workspaces home with them.
Cloud storage
Cloud storage is a viable option for keeping user data in a Windows To Go deployment. When
considering cloud storage, SkyDrive and Office 365 provide many options.
Anyone can obtain SkyDrive storage, and Microsoft provides up to 7 GB of space at no cost. Users
can purchase additional space, if necessary. Visit http://windows.microsoft.com/en-US/skydrive/
for more information on SkyDrive. SkyDrive requires a Microsoft account, and students under
the age of 13 require parent authorization. For more information, see Windows 8.1 deployment
planning: A guide for education at http://www.microsoft.com/download/details.aspx?id=39682.
Office 365 also offers a full version of Office, with storage available in the cloud. This is a viable
option if Office will be the primary tool used in the Windows To Go deployment. Office 365 offers
educational institution plans, including a free tier for students and faculty.
With SkyDrive, both data and settings can be stored in the cloud. These settings can include things
like Internet Explorer favorites, desktop, and other settings. If SkyDrive is disabled through Group
Policy, it would also be disabled for both data and settings storage. However, if you create a new
OU for the Windows To Go drives, then SkyDrive could be enabled for that OU specifically.
WINDOWS TO GO 19
Additional resources:
" Windows User State Virtualization at http://technet.microsoft.com/en-us/library/ff877478.
aspx
"  User Experience Virtualization at http://technet.microsoft.com/en-us/windows/hh943107.
aspx
" SkyDrive website at http://windows.microsoft.com/en-US/skydrive/
"  Office 365 Deployment at http://technet.microsoft.com/en-us/library/hh852466.aspx
"  Security and Data Protection Considerations for Windows To Go at http://technet.microsoft.
com/en-us/library/jj592679.aspx
"  Supporting Information Workers with Reliable File Services and Storage at http://technet.
microsoft.com/en-us/library/hh831495
"  Folder Redirection, Offline Files, and Roaming User Profiles Overview at http://technet.
microsoft.com/library/hh848267
"  Overview of user and roaming settings for Office 2013 at http://technet.microsoft.com/en-
us/library/jj733593.aspx
WINDOWS TO GO 20
Configuring Windows To Go for remote access
Enabling users to access network resources from off-campus locations such as at home is an
important aspect of the Windows To Go usage scenario. To provide access to network resources,
you might deploy a remote access solution. Windows To Go can use such already-supported
remote access solutions as:
" DirectAccess DirectAccess provides an advanced remote access solution that enables built-
in security, monitoring, and integration with other Microsoft enterprise services.
" Traditional VPN-based solution A VPN is also supported as a means to enable remote
access from Windows To Go. Windows 8.1 adds support for a wider variety of VPN clients.
" Auto-triggered VPN Use an app or resource that needs access through the inbox VPN (e.g.,
a company s intranet site) and Windows 8.1 automatically prompts to sign in with one click.
This feature is available with Microsoft and third-party inbox VPN clients.
See the section  Configure Windows To Go workspace for remote access in the Deploy Windows
To Go in Your Organization guide at http://technet.microsoft.com/en-us/library/jj721578.aspx for
more information, including Windows PowerShell scripts related to the remote access deployment.
Additional resources:
"  Remote Access (DirectAccess, Routing and Remote Access) Overview at http://technet.
microsoft.com/library/hh831416
"  Deploy Windows To Go in Your Organization at http://technet.microsoft.com/en-us/library/
jj721578.aspx
" Offline Domain Join (Djoin.exe) Step-by-Step Guide at http://technet.microsoft.com/en-us/
library/dd392267(WS.10).aspx
"  What s New in Remote Access in Windows Server 2012 R2 at http://technet.microsoft.com/
en-us/library/dn383589.aspx
WINDOWS TO GO 21
Securing Windows To Go drives
A key security consideration for Windows To Go deployment is the use of BitLocker. BitLocker helps
to protect the data within the workspace if the USB drive is lost. Using BitLocker can help protect
students security and privacy in the event of a lost Windows To Go workspace.
As described earlier, BitLocker in a Windows To Go workspace does not use the TPM. The user
instead is prompted for a password to unlock the drive. You can control the password policy
through Group Policy; by default, passwords are eight characters in length.
When first inserted into the provisioning computer, the USB drive to be used for the workspace
is considered a normal removable data drive. The drive must have one or more volumes already
defined. In addition, you may need to change Group Policy settings related to BitLocker to use
the Windows To Go Creator Wizard with BitLocker. These policies, which are found in Computer
Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive
Encryption, include:
" Control use of BitLocker on removable drives Controls whether BitLocker can be used on
removable drives. This policy must be enabled.
" Configure use of smart cards on removable data drives If this policy is enabled, sign in
with your smart card prior to beginning the Windows To Go Creator Wizard.
" Configure use of passwords for removable data drives The computer on which you run
the Windows To Go Creator Wizard must be able to connect to a domain controller when this
setting, along with the Require password complexity option, are enabled.
" Require additional authentication at startup This setting, which you must also change,
enables the use of passwords with an operating system drive so that BitLocker can be
configured within the workspace. Enable the setting by selecting the Allow BitLocker
without a compatible TPM option.
An option that enables easier management of BitLocker is Microsoft BitLocker Administration and
Monitoring (MBAM). MBAM, which is part of the Microsoft Desktop Optimization Pack, is available
with Microsoft Software Assurance licensing. Visit http://www.microsoft.com/en-us/windows/
enterprise/products-and-technologies/mdop/mbam.aspx for more information on MBAM.
WINDOWS TO GO 22
Configuring BitLocker before distribution
You can configure BitLocker prior to distributing the Windows To Go
workspace to users. Doing so reduces the amount of time necessary
to enable BitLocker encryption on the drive. Importantly, it protects
the drive and workspace immediately.
Another advantage to enabling BitLocker during provisioning is
NOTE
that the recovery keys are backed up to the provisioning computer
account in Active Directory Domain Services (AD DS). In situations
Do not pre-provision
where AD DS is not used to store recovery keys, you can save the BitLocker if you will
be using a USB drive
recovery keys to a file or print the keys. In addition, you must set the
duplicator to create
password for BitLocker encryption during provisioning and instruct
multiple copies of
the user to change the password on first boot. You do so by using
Windows To Go
Windows PowerShell cmdlets. See  Deploy Windows To Go in Your
workspaces.
Organization at http://technet.microsoft.com/en-us/library/jj721578.
aspx for more information, including scripts for enabling BitLocker.
When BitLocker is enabled after provisioning, the recovery keys are
stored with the workspace s computer account.
Configuring BitLocker after distribution
You can also configure BitLocker after distribution. In this scenario,
the user (with administrative rights on the workspace) enables
BitLocker after boot. This means that you must grant administrative
privileges to the user for the workspace; it also means that the drive
and workspace are not protected by BitLocker until the user enables
the protection.
MBAM provides an alternative: You can centrally enforce BitLocker
policies that you define in Group Policy. Additionally, standard user
accounts can encrypt their drives, and MBAM provides a self-service
recovery portal that can help users quickly recover their drives if they
forget their passwords.
A potential disadvantage of configuring BitLocker after distribution
is that you must obtain recovery keys from the user if the keys are
not stored in AD DS (although you can use MBAM for this purpose,
as well). In addition, the user can store recovery keys in a file, by
printing them, or on SkyDrive. You can also define BitLocker policies
WINDOWS TO GO 23
that require AD DS storage of recovery keys, which ensures that BitLocker does not encrypt a drive
unless it can backup recovery keys to AD DS.
Additional resources:
"  Security and Data Protection Considerations for Windows To Go at http://technet.microsoft.
com/en-us/library/jj592679.aspx
"  Deploy Windows To Go in Your Organization at http://technet.microsoft.com/en-us/library/
jj721578.aspx
"  Why can t I enable BitLocker from  Windows To Go Creator ? at http://technet.microsoft.
com/en-us/library/636ac947-a781-4874-8fd0-7fc2ed2c17f6#wtg_faq_blfail
"  BitLocker Overview at http://technet.microsoft.com/en-us/library/hh831713.aspx
"  Enable BitLocker protection for your Windows To Go drive at http://technet.microsoft.com/
en-us/library/jj721578.aspx#BKMK_4wtgdeploy
" The MBAM website at http://www.microsoft.com/en-us/windows/enterprise/products-and-
technologies/mdop/mbam.aspx
WINDOWS TO GO 24
Building multiple Windows To Go drives
When you need to distribute a Windows To Go workspace to more than a few users within the
institution, you can look to bulk methods to duplicate the workspace. You can use a USB drive
duplicator to create a large number of copies of a given workspace. This scenario is appropriate
when the workspace has the same applications and tools and will be distributed to the same types
of users, such as students; it also enables you to create multiple workspaces, one for students and
one for faculty.
When using a drive duplicator, be aware of the following caveats:
" Do not boot the drive prior to duplication.
" Do not enable BitLocker on the drive.
" Do not configure offline domain join in the workspace.
Whether you need to create a single or many copies of a workspace, a Windows PowerShell cmdlet
might be appropriate. See  Advanced deployment sample script at http://technet.microsoft.com/
en-us/library/jj721578.aspx#wtg_adv_script for more information, including a sample script for
creating multiple drives with Windows PowerShell. By using Windows PowerShell, you can create
custom workspaces (e.g. based on grade, homeroom, and so on).
Additional resources:
"  Deploy Windows To Go in Your Organization at http://technet.microsoft.com/en-us/library/
jj721578.aspx
WINDOWS TO GO 25
Talking about Windows To Go
Communicate with students and faculty when introducing Windows To Go. Windows To Go
requires users to change their workflows, and they should be aware of limitations and changes
necessary to make their use of Windows To Go successful. One idea would be to provide this
information in a wiki or through a handout, as appropriate. In particular, educate users to:
" Ensure that the host computer is not in a sleep state when inserting the Windows To Go drive
" Ensure that the host computer has been fully shut down before inserting the Windows To Go
drive
" Insert the Windows To Go drive directly into the computer, not into a USB hub
" Always shut down Windows and wait for the shutdown process to finish fully before removing
the Windows To Go drive
Also, consider how Windows To Go will be supported. If training is necessary for help desk staff,
plan for that training in advance of the deployment.
Additional resources:
"  Best Practice Recommendations for Windows To Go at http://technet.microsoft.com/en-us/
library/jj592681.aspx
WINDOWS TO GO 26
Conclusion
Windows To Go is an excellent solution for educational deployments. The ability to provide a
standardized Windows experience that runs from virtually anywhere means that people can get
their work done faster and more easily than before. You can create Windows To Go workspaces
and manage them by using the same tools you already use within your organization. You can
create a Windows To Go workspace by using a wizard or Windows PowerShell, and you can
manage Windows To Go workspaces through Group Policy. To learn about other ways you can
deploy Windows 8.1 in your school, see Windows 8.1 deployment planning: A guide for education at
http://www.microsoft.com/download/details.aspx?id=39682.
WINDOWS TO GO 27
© 2014 Microsoft Corporation. All rights reserved.
This document is for informational purposes only and
is provided  as is. Views expressed in this document,
including URL and any other Internet Web site references,
may change without notice. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.